keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Alex Dupre ale at FreeBSD.org
Tue Mar 17 02:06:51 PDT 2009


Luigi Rizzo wrote:
> it is not related to dynamic rules, but to the fact that
> the firewall is called before reassembling packets.
> The info (port numbers especially) is not available
> in the fragments so the firewall cannot do anything.
> The only solution would be to call the firewall
> after reassembly. I am not sure if there is any work in progress
> for that.

FWIW pf has a "traffic normalization" feature ("scrub" keyword) that 
reassembles packets before inspection. Unfortunately, it works with IPv4 
packets but lacks IPv6 support.

-- 
Alex Dupre
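To make concrete why a firewall that runs before reassembly cannot see port numbers in non-first fragments, here is an added Python example (not code from this thread or from ipfw/pf): it builds a UDP datagram, fragments it the way IPv4 does, shows what a per-packet inspector can extract from each fragment, and then reassembles. The addresses, ports and the 24-byte fragment size are constructed values.

```python
import socket
import struct

# Constructed sample values: documentation addresses, and a deliberately tiny
# per-fragment payload so a 68-byte UDP datagram splits into three fragments.
SRC, DST = "192.0.2.10", "192.0.2.20"
FRAG_PAYLOAD = 24          # must be a multiple of 8 for all but the last fragment
FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options

def checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(total_len, ident, more_frags, offset_bytes, proto=17):
    """Build an IPv4 header; MF is bit 13, offset is carried in 8-byte units."""
    flags_off = (0x2000 if more_frags else 0) | (offset_bytes // 8)
    fields = [0x45, 0, total_len, ident, flags_off, 64, proto, 0,
              socket.inet_aton(SRC), socket.inet_aton(DST)]
    fields[7] = checksum(struct.pack(FMT, *fields))
    return struct.pack(FMT, *fields)

def fragment(udp_datagram, ident=0x1234):
    """Split one UDP datagram into IPv4 fragments sharing an identification."""
    frags = []
    for off in range(0, len(udp_datagram), FRAG_PAYLOAD):
        chunk = udp_datagram[off:off + FRAG_PAYLOAD]
        more = off + FRAG_PAYLOAD < len(udp_datagram)
        frags.append(ipv4_header(20 + len(chunk), ident, more, off) + chunk)
    return frags

def firewall_view(packet):
    """What a per-packet, pre-reassembly inspector can learn from one fragment."""
    ihl = (packet[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", packet[6:8])[0]
    offset, more = (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000)
    l4 = packet[ihl:]
    # The UDP header exists only in the fragment at offset 0.
    ports = struct.unpack("!HH", l4[:4]) if offset == 0 and len(l4) >= 8 else None
    return {"offset": offset, "more_fragments": more, "ports": ports}

def reassemble(frags):
    """Order fragments by offset and concatenate their L4 data (what scrub does)."""
    parts = sorted((firewall_view(f)["offset"], f[(f[0] & 0x0F) * 4:]) for f in frags)
    return b"".join(data for _, data in parts)

def demo():
    udp = struct.pack("!HHHH", 40000, 53, 8 + 60, 0) + b"A" * 60   # 68-byte datagram
    frags = fragment(udp)
    return udp, frags, [firewall_view(f) for f in frags]
```

Only the first fragment yields (source port, destination port); the others carry no L4 header, so a keep-state lookup on them has nothing to match.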

